Category Archives: Security

Huge Data Leak at Largest U.S. Bond Insurer

On Monday, KrebsOnSecurity notified MBIA Inc. — the nation’s largest bond insurer — that a misconfiguration in a company Web server had exposed countless customer account numbers, balances and other sensitive data. Much of the information had been indexed by search engines, including a page listing administrative credentials that attackers could use to access data that wasn’t already accessible via a simple Web search.

A redacted screenshot of MBIA account information exposed to search engines.

A redacted screenshot of MBIA account information exposed to search engines.

MBIA Inc., based in Purchase, N.Y., is a public holding company that offers municipal bond insurance and investment management products. According to the firm’s Wiki page, MBIA, formerly known as the Municipal Bond Insurance Association, was formed in 1973 to diversify the holdings of several insurance companies, including Aetna, Fireman’s Fund, Travelers, Cigna and Continental.

Notified about the breach, the company quickly disabled the vulnerable site — mbiaweb.com. This Web property contained customer data from Cutwater Asset Management, a fixed-income unit of MBIA that is slated to be acquired by BNY Mellon Corp.

“We have been notified that certain information related to clients of MBIA’s asset management subsidiary, Cutwater Asset Management, may have been illegally accessed,” said MBIA spokesman Kevin Brown. “We are conducting a thorough investigation and will take all measures necessary to protect our customers’ data, secure our systems, and preserve evidence for law enforcement.”

Brown said MBIA notified all current customers about the incident Monday evening, and that it planned to notify former customers today.

Some 230 pages of account statements from Cutwater had been indexed by Google, including account and routing numbers, balances, dividends and account holder names for the Texas CLASS (a local government investment pool) ; the Louisiana Asset Management Pool; the New Hampshire Public Deposit Investment Pool; Connecticut CLASS Plus; and the Town of Richmond, NH.

In some cases, the documents indexed by search engines featured detailed instructions on how to authorize new bank accounts for deposits, including the forms and fax numbers needed to submit the account information.

Bryan Seely, an independent security expert with Seely Security, discovered the exposed data using a search engine. Seely said the data was exposed thanks to a poorly configured Oracle Reports database server. Normally, Seely said, this type of database server is configured to serve information only to authorized users who are accessing the data from within a trusted, private network — and certainly not open to the Web.

Worse yet, Seely noted, that misconfiguration also exposed an Oracle reports diagnostics page that included the username and password that would grant access to nearly all of the customer account data on the server.

“Malicious hackers finding dozens of universities or companies with Social Security numbers, health data or other information is devastating, but stumbling on bank accounts and the instructions for how to empty them is potentially catastrophic,” Seely said. “Billions in taxpayer funds, invested into one of the largest institutions in the world that were essentially being guarded by a sleeping security guard. What happens to those states when the money disappears?”

A misconfigured Oracle reports server can expose massive troves of sensitive data, a fact documented time and again by another independent researcher — Dana Taylor of NI @root. If your organization depends on Oracle Reports Services, please ensure that your administrators have read and implemented Oracle’s advice on securing these systems.

The accidental disclosure of customer data from MBIA comes amid revelations that foreign hackers — possibly organized crime groups operating out of Russia — hacked into networks of JPMorgan Chase. In public filings last week, JPMorgan said the breach exposed names, addresses, email address and phone numbers for 76 million household accounts and seven million small businesses. However, JPMorgan said that it has no indication that account numbers were exposed in the break-in.

Update, 3:03 p.m. ET: Updated the first and second paragraphs to clarify that the Municipal Bond Insurance Association is a former name for MBIA Inc.

Apple updates definitions to prevent “iWorm” botnet malware on Macs

Among other items, the XProtect list now includes several iWorm variants.
Andrew Cunningham

In case you missed it over the weekend, MacRumors reports that Apple has updated OS X's built-in XProtect malware definitions list to include the Mac.BackDoor.iWorm malware we reported on late last week. The iWorm malware allegedly managed to infect more than 17,000 Macs worldwide, and it was apparently using a (now closed) Minecraftserverlists board on reddit to distribute the IP addresses of control servers to infected Macs.

XProtect was first introduced to OS X in Snow Leopard in response to the MacDefender malware that managed to infect some OS X systems back in 2011. While the complete list is only 40 items long as of this writing, OS X silently checks for XProtect updates daily, and Apple also uses the list to mandate the usage of up-to-date versions of Java and Flash. While XProtect doesn't do anything to clean existing infections, it can prevent new ones by telling users explicitly that they're attempting to install known malware.

Dr. Web, the antivirus vendor that first reported the existence of both the malware and the botnet, recommends that you buy its products to scan for and delete malware that may already be on your computer—researchers at antivirus companies can get the word out about new vulnerabilities, but they don't do it out of the goodness of their hearts. Developer Jacob Salmela has some instructions that can help you delete the malware manually.

Read on Ars Technica | Comments

Bugzilla 0-day can reveal 0-day bugs in OSS giants like Mozilla, Red Hat

C

Security firm Check Point Software Technologies used a flaw it discovered in the Perl programming language to hack into the popular Bugzilla bug-tracking system and add four users to the administrator group, giving them power to see the details of undisclosed vulnerabilities.

The bold demonstration, detailed in a private bug report made public on Monday, took advantage of a new class of flaws discovered by Check Point in the Perl programming language, allowing the organization to craft specific strings of text that essentially fooled Bugzilla's user database. Check Point created administrator accounts for mozilla.com, mozilla.org, bugzilla.org, and bugzilla.bugs in the system.

"This is not an SQL injection attack, this is something rather new," Shahar Tal, security research team leader at Check Point, told Ars. "This is part of research that we have been working on for a couple of months on a specific Perl issue. Bugzilla is a good example and sample, but it is not the only project that we were able to find vulnerabilities in."

Read 8 remaining paragraphs | Comments

FDA: Medical device cybersecurity necessary, but optional

The US Food and Drug Administration released guidance last week in which it suggested that medical-device manufacturers consider the dangers of hacking in the design of their products, while not requiring countermeasures.

The nine-page document informs companies of the agency's "current thinking" on the topic of cybersecurity. In it, the FDA recommended that companies assess any dangers on the intentional or unintentional misuse of a device in their design stage. In addition, medical devices and systems should detect and log attacks and allow technicians to react to such attacks, whether through patching a vulnerability or other action.

"The need for effective cybersecurity to assure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information," the agency stated, adding that "manufacturers should address cybersecurity during the design and development of the medical device, as this can result in more robust and efficient mitigation of patient risks."

Read 6 remaining paragraphs | Comments

White hat claims Yahoo and WinZip hacked by “shellshock” exploiters

Not the actual exploit.

A security researcher claims to have uncovered a botnet being built by Romanian hackers using the “Shellshock” exploit against servers on a number of high-profile domains, including servers at Yahoo and the utility software developer WinZip. Jonathan Hall, president and senior engineer of technology consulting firm Future South Technologies published a lengthy explanation of the exploits and his communications with the exploited on his company’s website this weekend and said that Yahoo had acknowledged finding traces of the botnet on two of its servers.

Hall found the botnet, he said, by tracking down the source of requests that probed one of his servers for vulnerable CGI server scripts that could be exploited using the Shellshock bash vulnerability. That security flaw allows an attacker to use those vulnerable server scripts to pass commands on to the local operating system,  potentially allowing the attacker take remote control of the server. Hall traced the probes back to a server at WinZip.com. He then used his own exploit of the bash bug to check the processes running on the WinZip server and identified a Perl script running there named ha.pl.

After extracting the contents of the script, Hall discovered that it was an Internet Relay Chat (IRC) bot similar to ones used to perform distributed denial of service attacks on IRC servers. However, as he examined it more closely, he found that it “appeared to focus more on shell interaction than DDoS capabilities,” he wrote. According to Hall, it takes remote control of the server, while using its IRC code to report back to an IRC channel (called, creatively, #bash). The code was also heavily commented in Romanian.

Read 6 remaining paragraphs | Comments

JPMorgan Hacked & Leaked Over 83 Million Customer Records

So yah last week we all discovered, OMG JPMorgan Hacked! This set a lot of people on edge as JPMorgan Chase & Co is the largest US bank by assets – so it’s pretty seriously business. The breach happened back in July and was only disclosed last Thursday due to a filing to the US [...] The post JPMorgan Hacked & Leaked Over 83...

Read the full post at darknet.org.uk

Copyright © 2014. Powered by WordPress & Romangie Theme.